Lucene search

K
NodejsUndici

12 matches found

CVE
CVE
added 2023/10/12 5:15 p.m.528 views

CVE-2023-45143

Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.header...

3.9CVSS5.5AI score0.00078EPSS
CVE
CVE
added 2023/02/16 6:15 p.m.299 views

CVE-2023-24807

Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to nor...

7.5CVSS7.9AI score0.00309EPSS
CVE
CVE
added 2023/02/16 6:15 p.m.287 views

CVE-2023-23936

Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to u...

6.5CVSS6.9AI score0.00598EPSS
CVE
CVE
added 2022/07/19 9:15 p.m.215 views

CVE-2022-31150

undici is an HTTP/1.1 client, written from scratch for Node.js. It is possible to inject CRLF sequences into request headers in undici in versions less than 5.7.1. A fix was released in version 5.8.0. Sanitizing all HTTP headers from untrusted sources to eliminate \r\n is a workaround for this issu...

6.5CVSS7AI score0.00334EPSS
CVE
CVE
added 2022/08/12 11:15 p.m.212 views

CVE-2022-35949

undici is an HTTP/1.1 client, written from scratch for Node.js.undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request. If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1 js const undici = requ...

9.8CVSS7AI score0.00424EPSS
Web
CVE
CVE
added 2022/08/15 11:21 a.m.202 views

CVE-2022-35948

undici is an HTTP/1.1 client, written from scratch for Node.js.=

5.3CVSS6.4AI score0.00228EPSS
Web
CVE
CVE
added 2022/07/21 4:15 a.m.178 views

CVE-2022-31151

Authorization headers are cleared on cross-origin redirect. However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There are active users using cookie headers in undici. This may lead to accidental leakage of cookie to a 3rd-party site or a...

6.5CVSS5.1AI score0.00132EPSS
CVE
CVE
added 2024/04/04 3:15 p.m.110 views

CVE-2024-30261

Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the integrity option passed to fetch(), allowing fetch() to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

3.5CVSS4.2AI score0.00175EPSS
CVE
CVE
added 2024/04/04 4:15 p.m.103 views

CVE-2024-30260

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request(). This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

4.3CVSS4.8AI score0.00166EPSS
CVE
CVE
added 2024/02/16 10:15 p.m.98 views

CVE-2024-24758

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authentication headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarou...

4.5CVSS3.9AI score0.00123EPSS
CVE
CVE
added 2022/07/14 3:15 p.m.78 views

CVE-2022-32210

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain...

6.5CVSS6.3AI score0.00107EPSS
CVE
CVE
added 2024/02/16 10:15 p.m.53 views

CVE-2024-24750

Undici is an HTTP/1.1 client, written from scratch for Node.js. In affected versions calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. This issue has been addressed in version 6.6.1. Users are advised to upgrade. Users unable to upgra...

6.5CVSS6.2AI score0.00356EPSS